Hi! I just want to share my hack, as it will likely be valuable to others as well. I have a not so uncommon setup: People login via HTTP Basic Authentication (popup window in the webbrowser). The webserver manages the login via LDAP. Once logged in, they have access to several webservices like wiki, file safe (Nextcloud or something), InfCloud and others. So clearly I do not want any login page. The login credentials are known by the webserver and webbrowser. The webbrowser will happily send them again without user interaction. Officially there seems to be no way to login without the login screen, but without hard-coding credentials in the config.js.
Ok. Generally, this is not so easy, because in Javascript you cannot access the browser’s authentication cache—for good reason. But in my case (and maybe in your case, too) the InfCloud files are provided by the same webserver that also serves as the WebDAV server (DAViCal in my case); and also by the same vhost. (This might later be important—see below. I have no special subdomain for DAViCal.) So there are no (additional) security concerns in sending the credentials once again from the browser to the webserver and back again, so I can read them in my Javascript. Here is what I have done:
1) Rename InfCloud’s index.html to index.php.
You should try this out. Maybe you better use another language, if PHP is not available to your webserver. In my case, DAViCal is running on the same webserver, which is written in PHP. So, obviously, I can run PHP scripts.
2) In the lines around 620 in index.php, there are some hidden form fields (<input id="foo" type="hidden" value=""/>. Add two more like this:
<input id="foo-login" type="hidden" value="<?=htmlspecialchars($_SERVER['PHP_AUTH_USER'])?>"/>
<input id="foo-pw" type="hidden" value="<?=htmlspecialchars($_SERVER['PHP_AUTH_PW'])?>"/>
The effect is, that the user gets back an HTML file with their login credentials in cleartext in there. Don’t do this, if this is risky in your setup. In most cases this should not be risky, as the browser knows the credentials anyway; as well as anyone who can read the traffic between the browser and the InfCloud webserver.
3) In the beginning of the index.php, inside the <head></head> section, there are several lines starting with “<script”. Move all these lines to the end of the document, right before the closing </body> tag.
The Javascript needs to be loaded after the rest of the document, because otherwise the Javascript code in the beginning would not have access to the content of the document, i.e. to our credentials.
4) In config.js, enable the globalAccountSettings method (that one with the hard-coded credentials). But instead of really hard-coding some credentials there, you type (for example, if you have DAViCal installed in /cal/ and rewrite the URLs in your webserver config, so you can omit the part “/caldav.php”):
href: 'https://example.com:443/cal/'+document.getElementById('foo-login').value+'/',
userAuth:
{
userName: document.getElementById('foo-login').value,
userPassword: document.getElementById('foo-pw').value
},
If both the WebDAV server and the InfCloud files are below the same principal URL (same vhost), then a better solution would be, if InfCloud would simply try to access the WebDAV server without sending any login credentials. The WebDAV server would then reply with 401 and the browser would resend the request with the already-known credentials in the request header. This would be much less of a hack. Maybe somene else wants to try that.
Love
Torsten
All of a sudden InfCloud is missing events.
I'm running InfCloud 0.13.2.rc2 since the end of 2015 using FireFox on
Fedora. The DAViCal server is running on a separate system.
InfCloud didn't change and neither did the DAViCal server. I did upgrade
FireFox as part of regular system upgrades.
This morning I noticed, the hard way, that a repeating event was missing
from InfCloud. It is just gone. All occurrences, including past occurrences.
The event is on the server, since other clients (Android phones and
tablets) display it.
This worries me very much. Is there anything I can do to find out what is
going on? I tried cahce_update but that didn't make a difference.
Update: InfCloud with Chromium doesn't show the missing events either.
Hi everyone,
Does infcloud support header "Access-Control-Allow-Origin <a-domain>"?
I tried to configure my caldav server with "Access-Control-Allow-Origin"
header set to <a-domain>", but infcloud seems to be unable to connect
the caldav server, reporting the following error in the browser's console:
> "Error: [netCheckAndCreateConfiguration: 'PROPFIND
https://<a-domain>/dav/'] code: '0' status: 'error' - see
https://www.inf-it.com/infcloud/readme.txt (cross-domain setup)"
webdav_protocol.js:120:4
When I set this "Access-Control-Allow-Origin" header to "*", it works.
I find it more secure to be able to set this header.
Can you tell me how is infcloud supposed to work with this header?
Thank!
